Bug 32584

Summary: python-cryptography new security issues CVE-2023-49083, CVE-2023-50782 and CVE-2024-26130
Product: Mageia
Reporter: Nicolas Salguero <nicolas.salguero>
Component: Security
Assignee: Python Stack Maintainers <python>
Status: NEW ---
QA Contact: Sec team <security>
Severity: normal
Priority: Normal
CC: jani.valimaa, yvesbrungard
Version: Cauldron   
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: https://github.com/pyca/cryptography/pull/9926
Whiteboard: MGA9TOO
Source RPM: python-cryptography-41.0.4-2.mga10.src.rpm
CVE: CVE-2023-49083, CVE-2023-50782, CVE-2024-26130
Status comment: Patches available from Ubuntu and upstream

Description Nicolas Salguero 2023-11-30 12:14:46 CET
CVE-2023-49083 was announced on November 29:
https://www.openwall.com/lists/oss-security/2023/11/29/2

Mageia 8 and 9 are also affected.

Nicolas Salguero 2023-11-30 12:15:11 CET

Whiteboard: (none) => MGA9TOO, MGA8TOO
Source RPM: (none) => python-cryptography-41.0.4-2.mga10.src.rpm

Comment 1 Lewis Smith 2023-11-30 12:38:34 CET
I have noted the URL about a fix proposed but debated, ongoing, and may want a GitHub account to follow.
Assigning to Python team, CC'ing Jani & Yves who have done recent versions.

URL: (none) => https://github.com/pyca/cryptography/pull/9926
CC: (none) => jani.valimaa, yvesbrungard
Assignee: bugsquad => python
Status comment: (none) => Patch in progress

papoteur 2023-12-01 09:44:47 CET

CVE: (none) => CVE-2023-49083

Comment 2 Nicolas Salguero 2024-03-07 16:15:54 CET
Ubuntu has issued an advisory on March 5:
https://ubuntu.com/security/notices/USN-6673-1

Whiteboard: MGA9TOO, MGA8TOO => MGA9TOO
CVE: CVE-2023-49083 => CVE-2023-49083, CVE-2023-50782, CVE-2024-26130
Summary: python-cryptography new security issue CVE-2023-49083 => python-cryptography new security issues CVE-2023-49083, CVE-2023-50782 and CVE-2024-26130
Status comment: Patch in progress => Patches available from Ubuntu and upstream

papoteur 2024-04-09 17:51:05 CEST

Status comment: Patches available from Ubuntu and upstream => (none)
Assignee: python => qa-bugs

Comment 3 papoteur 2024-04-09 18:40:55 CEST
Sorry, mismatch in report, restoring data

Assignee: qa-bugs => python
Status comment: (none) => Patches available from Ubuntu and upstream

Comment 4 Nicolas Salguero 2024-05-28 15:32:57 CEST
Ubuntu has issued an advisory on May 27 for CVE-2024-26130:
https://ubuntu.com/security/notices/USN-6673-3